Android – The new battleground for software vulnerabilities

With over one billion Android devices activated, the platform’s popularity has inevitably caught the attention of malware creators. The opportunity to target such a huge audience and get more bang for the buck is not easily dismissed nor will it be any time soon.

There is another reason. Most smart phone users still consider the device to be a ‘phone’ and not a fully-fledged system that can almost do everything a desktop PC can. As a result users tend to ignore the security implications when using mobile phones. They are making a huge mistake because in some cases mobile phones pose a greater security risk than a desktop computer.

What security risk do mobile phones pose?

If, for argument’s sake, you’re an attacker who wants to steal confidential data to make a profit, your biggest challenge is gaining access to company’s system. Over the years, different methods have been used. Infected pen drives were left lying about in parking lots. Victims were lured to infected websites. Emails were sent with infected payloads.

These attack vectors are well-known to companies and measures are put in place to neutralise them. Businesses are aware that email and websites are prime targets for the bad guys and therefore they have invested in technology to prevent any weaknesses being exploited and breached. More and more employees know enough about security that USB drives can be infected. They are less likely to check out a USB drive they found in the parking lot on their work PC, let alone on their personal machine.

But is this level of awareness the same among mobile phone users? Do you think that employees realise that a mobile phone is, at the end of the day, not very different to a USB drive when they plug it into their PC to charge it or copy files to and from the device?

Furthermore, how many businesses provide wireless Internet in the office, and users are quick to connect to the network so they can access the Internet? If one user’s mobile phone has malware running on it, then the bad guys have a beachhead from where they can execute code or gain deeper access to the network. A sniffer running on that phone can potentially collect credentials sent in plain text on that network segment, including email credentials, telnet, FTP, basic web authentication and others.

Basically, Android-targeting malware could be a route into a network for attackers.

With every new technology, the discussion will often turn to how it will be misused and exploited by cybercriminals. Most of the initial discussion is theoretical – security researchers theorising how the new technologies in question might be targeted and exploited.

Is this the case with the Android platform as well? Yes and no. Yes, in that so far we aren’t aware of attacks or if any have taken place it was on a small scale and not of concern, for now. No, because malware already exists and some applications have the same functionality as ‘normal’ malware would. Android.Backdoor.Ssucl.A, for example,will infect Android phones and create three files in the root of the SD Card: autorun.inf, folder.ico and svchost.exe. It will exploit the autorun bug to install a backdoor on those machines that the infected android phone is connected to and is switched from charging to storage mode. It’s pretty much the same type of attack employed on that malicious USB drive left in the parking lot.

Then there are applications like the dSploit utility which, among other things, allows the harvesting of unencrypted credentials through Wi-Fi. We might not be there yet but the tools to perform these attacks are under development.

As with any platform smart phones need to be protected and secured. Most of the Android platform security is focused on the play store system and the phone’s application segregation. Their vetting process is the first and “last” line of defence for a large number of devices. Why “last”? It is true that the system tries to limit what an application can do and it’s also true that the device will ask the user to give permission to an application to do specific functions – but does any of this really help? I don’t think so, and that’s why I hesitate to even consider this an actual and effective last line of defence.

While Android applications are restricted in what they can do, they have full control the moment the phone is rooted (a process designed to unlock administrative access to user programs – by default this is disabled) and the malware then has administrative access. You don’t even need the malware to do the actual rooting because end users are likely to do so themselves.

Rooting their device allows them to run some applications that add some cool functionality to the phone (such as full backup functionality or even providing actual drive shares on phones that only support MTP file transfers).

You also find users installing custom ROM and all but one, as far as I am aware, come pre-rooted. On the only ROM that doesn't come pre-rooted, it only takes a click to perform the rooting process. On a genuine, unmodified Android phone, the rooting process is just not that simple.

We’re not talking one or two devices here: the most popular custom ROM has over 10.7 million users. This is probably a very conservative number as it only reflects the number of users who by choice reported their usage of that particular custom ROM.

The Android system also notifies the user what functionality an application intends to use. The user has to approve that access. The problem is that even for a professional it’s hard to distinguish if some of the functionality is legitimate and can be trusted or if it’s a malicious application or a legitimate application infected with malware.

The Google play service, for example, has access to your personal info, messages, location, phone calls / system tools. From a security perspective, most of that access should be a big ‘no, no’. Why would any application need access to your SMS or phone calls? I am pretty confident that every Android phone has Google play installed.

Some warnings do not work, even professionals ignore them; and they will not work because it is impossible to say if the permission requested is going to be used legitimately or not. Because most users will just click okay, permissions are abused and many applications request more access to information than they really need.

A mobile phone should to be treated no differently than any other computer system. Users need to be educated that there are risks using these devices and to follow best practices. This is the only way to protect and secure the device. While an official Android installation has a lot of security features in place to limit damage caused by malware, it is not fool proof because users can install other distributions which lack the same security measures. Users do so because they want more out of the device and are not restricted to apps in the play store.

Greater effort is required to secure unofficial implementations that have a lax security model. We should also be wary how phones interact with the network and with a host machine as this could be a popular malware infection vector and a foothold into the organisation.

Today there’s little difference between taking a phone to the office and connecting a laptop to the network. That is why security policies and procedures should be updated to reflect this development.

Copyright 2016 IDG Communications. ABN 14 001 592 650. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of IDG Communications is prohibited.